Last Modified: Apr 10, 2019
See more info
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 12.1.4, 22.214.171.124, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Opened: Aug 26, 2016
If you disable proxy-support inside a v1 ike-peer, the config will not work because the racoon daemon cannot send proper identifying information to tmm in a GETSPI request. (The source appears to be localhost 127.0.0.1, which does not identify the peer, so no SPI can be allocated.)
IPsec tunnels for IKEv1 cannot be established when proxy-support is disabled in the racoon daemon.
In a v1 ike-peer, disable proxy-support.
Enable proxy-support in the ike-peer config definition. Note: In a v1 ike-peer, proxy-support must be enabled for a v1 peer to work. This is the default value, and should not be changed.
On the responder side, a logged line will say 'check IKE-PEER proxy support' in part of the message, to explains GETSPI failure, as a suggestion to fix this in the ike-peer config.